Thing Policy Variables

Thing policy variables allow you to write AWS IoT policies that grant or
deny permissions based on thing properties like thing names, thing types,
and thing attribute values. The thing name is obtained from the client ID in
the MQTT Connect message sent when a thing connects to AWS IoT.
The thing policy variables are replaced when a thing connects to AWS IoT over
MQTT using TLS mutual authentication or MQTT over the WebSocket protocol
using authenticated Amazon Cognito identities. Thing policy variables are also
replaced when a certificate or authenticated Amazon Cognito identity is attached
to a thing. You can use the AttachThingPrincipal API to attach certificates and
authenticated Amazon Cognito identities to a thing.

The following thing policy variables are available:

iot:Connection.Thing.ThingName

iot:Connection.Thing.ThingTypeName

iot:Connection.Thing.Attributes[attributeName]

iot:Connection.Thing.IsAttached

iot:Connection.Thing.ThingName

This resolves to the name of the thing for which the policy is being
evaluated. The thing name is set to the client ID of the MQTT/WebSocket
connection. This policy variable is available only when connecting over
MQTT or MQTT over the WebSocket protocol.

iot:Connection.Thing.ThingTypeName

This resolves to the thing type associated with the thing for which
the policy is being evaluated. The thing name is set to the client ID of
the MQTT/WebSocket connection. The thing type name is obtained by a call
to the DescribeThing API. This policy variable is available
only when connecting over MQTT or MQTT over the WebSocket
protocol.

iot:Connection.Thing.Attributes[attributeName]

This resolves to the value of the specified attribute associated with
the thing for which the policy is being evaluated. A thing can have up
to 50 attributes. Each attribute is available as a policy variable
iot:Connection.Thing.Attributes[attributeName], where attributeName is the name
of the attribute. The thing name is set to the client ID of the MQTT/WebSocket
connection. This policy variable is only available when connecting over
MQTT or MQTT over the WebSocket protocol.

iot:Connection.Thing.IsAttached

This resolves to true if the thing for which the policy
is being evaluated has a certificate or Amazon Cognito identity attached.
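To see the substitution end to end, here is an added example (not from the AWS documentation) that applies a constructed policy using all four variables to one connecting thing. The ARN region/account prefix and the device's deviceId attribute are placeholders, and the evaluator is a simplified stand-in for AWS's own policy engine.

```python
import re

# Constructed example policy (not from the AWS page): the device may connect only
# with a client ID equal to its thing name, may publish only to a topic built from
# its thing type and "deviceId" attribute, and only while a principal is attached.
ACCOUNT = "arn:aws:iot:us-east-1:123456789012"  # placeholder region/account
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": ACCOUNT + ":client/${iot:Connection.Thing.ThingName}",
            "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": "iot:Publish",
            "Resource": ACCOUNT + ":topic/${iot:Connection.Thing.ThingTypeName}"
                                  "/${iot:Connection.Thing.Attributes[deviceId]}/telemetry",
            "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": "true"}},
        },
    ],
}
# Matches ${iot:Connection.Thing.<Name>} and ${iot:Connection.Thing.Attributes[<attr>]}.
VAR = re.compile(r"\$\{iot:Connection\.Thing\.([A-Za-z]+)(?:\[([^\]]+)\])?\}")

def resolve(template, thing):
    """Substitute the thing policy variables for one connecting thing.
    `thing` stands in for what the client ID lookup and DescribeThing return."""
    def sub(match):
        name, attr = match.group(1), match.group(2)
        if name == "ThingName":
            return thing["thingName"]          # thing name == MQTT client ID
        if name == "ThingTypeName":
            return thing.get("thingTypeName", "")
        if name == "Attributes":
            return thing.get("attributes", {}).get(attr, "")
        raise ValueError("unknown thing policy variable: " + match.group(0))
    return VAR.sub(sub, template)

def is_allowed(policy, thing, action, resource):
    """Simplified evaluation for an Allow-only policy: exact resource match after
    substitution plus the IsAttached Bool condition (AWS also handles wildcards)."""
    for stmt in policy["Statement"]:
        want = stmt.get("Condition", {}).get("Bool", {}).get("iot:Connection.Thing.IsAttached")
        if want is not None and str(thing["isAttached"]).lower() != want:
            continue  # condition fails, so this statement does not apply
        if stmt["Action"] == action and resolve(stmt["Resource"], thing) == resource:
            return stmt["Effect"] == "Allow"
    return False
```

With the IsAttached condition, the same thing record with isAttached set to False is denied both actions even though its name, type and attributes would otherwise match.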